Help - surf sidekick 3 is attacking!
I read a previous post where you suggested the person download 'hijack this' and do a copy of the log. Well, here is mine:
Scan saved at 8:36:50 PM, on 7/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE
C:\Program Files\BIPAC-7000 ADSL USB Modem\CnxDslTb.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe
R3 - URLSearchHook: (no name) - <default> - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R210 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P30 "EPSON Stylus Photo R210 Series" /O6 "USB001" /M "Stylus Photo R210"
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\BIPAC-7000 ADSL USB Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [StartFoxie] C:\Program Files\Foxie Suite\StartFoxie.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Frag Five Camp Each] C:\Documents and Settings\All Users\Application Data\AcidPhoneFragFive\Real That.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [] p2pnetworking.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\RunServices: [] p2pnetworking.exe
O4 - HKCU\..\Run: [CashIso] C:\DOCUME~1\Shaz\APPLIC~1\STOPPI~1\MoreBeepOption.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Winter Fun Wallpaper Changer.lnk = ?
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A38DDD8E-E970-4208-9FFE-DDC07371E65E}: NameServer = 203.193.200.2 203.193.193.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: repairs303169536.dll
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\h84m0ih1e84.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
I have used spybot, adaware & xoftspy - but they cannot remove all files.
I currently cannot use add/remove programs (am thinking I am going to have to reformat).
Can you help me at all???
You also have a Look2Me infection; we will deal with that after SSK.
I am going to give you the fix from my website here..
SurfSideKick Removal
NOTE: There are several variants of SurfSideKick. Not all the files, folders, and HijackThis entries will be present on your system. If you do not find one or more of the items listed, just continue with the fix.
Print out these instructions.
Download and Install:
- CCleaner
- HijackThis
- Unlocker (Windows 2000/XP Only)
Download to your Desktop:
- SSKfix98 (Windows 98/ME only)
- SSKfixXP (Windows 2000/XP only)
Read and Understand the following:
- How to view hidden, system files & folders!
- How to search for hidden files on Windows XP
Identifying SurfSideKick
In HijackThis look for lines similar to the ones below:
R3 - URLSearchHook: (no name) - {000AB005-FF12-42C2-8DF5-39E12E5F9C91} - C:\Program Files\SurfSideKick\SskBho.dll
O4 - HKLM\..\Run: [SurfSideKick] C:\Program Files\SurfSideKick\Ssk.exe
O4 - HKCU\..\Run: [SurfSideKick] C:\Program Files\SurfSideKick\Ssk.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O20 - AppInit_DLLs: repairs.dll
O20 - AppInit_DLLs: repairs302972943.dll (NOTE: This may have a different number)
Close all browsers and keep them closed throughout the entire removal process.
Step 1 - Stopping running Processes
In HJT choose Open the Misc Tools Section, choose Process Manager, and highlight:
C:\Program Files\Common Files\VCClient\VCClient.exe
C:\Program Files\Common Files\VCClient\VCMain.exe
Choose Kill Process.
NOTE: If VCClient.exe and VCMain.exe are not present then continue.
Step 2 - Uninstalling SurfSideKick
Using Add or Remove Programs in the Control Panel uninstall the following:
Surfsidekick
Surfsidekick 2
Surfsidekick 3
If SurfSideKick is not in Add or Remove Programs, do the following:
Open Windows Explorer and check to see if any of the below exist. If not, skip to Step 3 - Cleaning. Otherwise continue with the below:
C:\Program Files\SurfSideKick
C:\Program Files\SurfSideKick 2
C:\Program Files\SurfSideKick 3
If one or more of the above SSK entries are found in Program Files do the following:
Start -> Run
Type "C:\Program Files\SurfSideKick\ssk.exe" /u -> OK
Start -> Run
Type "C:\Program Files\SurfSideKick 2\ssk.exe" /u -> OK
Start -> Run
Type "C:\Program Files\SurfSideKick 3\ssk.exe" /u -> OK
WARNING: DO NOT reboot your computer if prompted to do so until you have run the uninstaller for each directory that is present.
Enter the given security code (generated automatically by the uninstaller) -> OK
Click on YES at the reboot prompt.
http://img24.imageshack.us/img24/9371/ssk17gh.jpg
Make sure PC boots to Safe Mode.
Step 3 - Cleaning (Done While in Safe Mode)
Open Windows Explorer and browse to:
- For Win2K/XP it may be in c:\windows\system32 or c:\winnt\system32
- For Win9x/Me it may be in c:\windows\system or c:\windows
Look for all instances of:
repairs.dll
repairs302972940.dll
repairs302972943.dll
repairs302972958.dll
repairs302972970.dll
repairs302972979.dll
repairs302972982.dll
repairs302972985.dll
repairs302972988.dll
once located, right-click > Unlocker > Unlock All
If none of the repairs.dll can be found then search for all files on the local hard drive using the search function in the Start Menu.
http://img239.imageshack.us/img239/9317/ssk25uu.jpg
NOTE: Windows98/ME Systems Unlocker won't be needed at all.
Immediately afterwards delete all instances of:
repairs.dll
repairs302972940.dll
repairs302972943.dll
repairs302972958.dll
repairs302972970.dll
repairs302972979.dll
repairs302972982.dll
repairs302972985.dll
repairs302972988.dll
Now follow the patch instructions for your system.
Patch Instructions:
~ Windows 98/ME ~
Run SSKfix98.exe
Run CCleaner
Reboot in Normal Mode; run HijackThis and fix the following lines if they exist:
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [SurfSideKick] C:\Program Files\SurfSideKick\Ssk.exe (file missing)
O4 - HKCU\..\Run: [SurfSideKick] C:\Program Files\SurfSideKick\Ssk.exe (file missing)
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe (file missing)
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe (file missing)
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe (file missing)
O20 - AppInit_DLLs: repairs.dll (file missing)
O20 - AppInit_DLLs: repairs302972943.dll (file missing) (NOTE: This may have a different number)
Using Windows Explorer navigate to the following directories and delete them if they still exist:
C:\Program Files\SurfSideKick
C:\Program Files\SurfSideKick 2
C:\Program Files\SurfSideKick 3
C:\Program Files\Common Files\VCClient
~ Windows 2000/XP ~
Now run SSKfixXP.exe (towards the end of the process it might boot your PC; if that occurs, make sure you keep tapping the F8 key to boot back into Safe Mode). Run the fix again to complete the process.
Boot back into Safe Mode.
Run CCleaner
Reboot in Normal Mode; run HijackThis and fix the following lines if they exist:
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [SurfSideKick] C:\Program Files\SurfSideKick\Ssk.exe (file missing)
O4 - HKCU\..\Run: [SurfSideKick] C:\Program Files\SurfSideKick\Ssk.exe (file missing)
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe (file missing)
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe (file missing)
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe (file missing)
O20 - AppInit_DLLs: repairs.dll (file missing)
O20 - AppInit_DLLs: repairs302972943.dll (file missing) (NOTE: This may have a different number)
Using Windows Explorer navigate to the following directories and delete them if they still exist:
C:\Program Files\SurfSideKick
C:\Program Files\SurfSideKick 2
C:\Program Files\SurfSideKick 3
C:\Program Files\Common Files\VCClient
Reboot once more into Normal Mode and run HijackThis and post the log as an attachment.
Proud Member of ASAP (Alliance of Security Analysis Professionals)
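The "Identifying SurfSideKick" check above is done by eye in the thread; as an added example (not code from the thread, from HijackThis, or from the helper's site), here is a small Python triage script that walks a HijackThis log, flags the entries matching the indicators the helper lists (SurfSideKick and VCClient paths, repairs*.dll in AppInit_DLLs, a Winlogon Notify handler loading a random-named DLL, which the helper attributes to Look2Me) and maps each to the step of the procedure that handles it. The sample log is constructed from lines modelled on this thread, and the allowlist of stock Windows XP Winlogon Notify DLLs is an assumption of this example.

```python
"""Triage a HijackThis log for the SurfSideKick and Look2Me indicators named in this thread."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log, modelled on the logs posted in this thread (not a verbatim copy).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\VCClient\VCMain.exe
R3 - URLSearchHook: (no name) - <default> - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe (file missing)
O20 - AppInit_DLLs: repairs303169536.dll
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\h84m0ih1e84.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")  # "O4 - HKLM\..\Run: ..."
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")                             # "Running processes" lines
FILE_MISSING_RE = re.compile(r"\s*\(file missing\)$", re.IGNORECASE)

# SurfSideKick indicators, taken from the helper's instructions above.
SSK_PATH_RE = re.compile(r"\\SurfSideKick( \d)?\\", re.IGNORECASE)
VCCLIENT_RE = re.compile(r"\\Common Files\\VCClient\\", re.IGNORECASE)
REPAIRS_DLL_RE = re.compile(r"\brepairs\d*\.dll\b", re.IGNORECASE)

# Assumption of this example: DLLs a stock Windows XP install registers under
# Winlogon\Notify.  Any other DLL named there (such as h84m0ih1e84.dll above,
# which the helper attributes to Look2Me) is flagged for review.
STOCK_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
                     "wlnotify.dll", "termsrv.dll"}


@dataclass
class Finding:
    line: str
    family: str         # "SurfSideKick" or "Look2Me (suspected)"
    action: str         # which step of the helper's procedure handles it
    file_missing: bool  # HijackThis already reports the target file as gone


def _classify(section: str, body: str) -> Optional[tuple[str, str]]:
    """Return (family, action) for one entry, or None if nothing in it is suspicious."""
    if section == "Process":
        if SSK_PATH_RE.search(body) or VCCLIENT_RE.search(body):
            return "SurfSideKick", "Step 1: kill the process in the HJT Process Manager"
        return None
    if SSK_PATH_RE.search(body) or VCCLIENT_RE.search(body):
        return "SurfSideKick", "Step 2/3: uninstall, then fix the line in HijackThis"
    if section == "O20" and body.startswith("AppInit_DLLs:") and REPAIRS_DLL_RE.search(body):
        return "SurfSideKick", "Step 3: unlock and delete repairs*.dll, then fix the line"
    if section == "O20" and body.startswith("Winlogon Notify:"):
        dll = re.split(r"[\\ ]", body)[-1].lower()  # last path component
        if dll not in STOCK_NOTIFY_DLLS:
            return "Look2Me (suspected)", "follow-up Spy Sweeper scan, as advised for Look2Me"
    return None


def triage(log_text: str) -> list[Finding]:
    """Walk a HijackThis log and return the entries tied to the two infections."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PROCESS_RE.match(line):
            section, body = "Process", line
        else:
            m = ENTRY_RE.match(line)
            if not m:
                continue  # header lines, "Running processes:", etc.
            section, body = m.group("section"), m.group("body")
        missing = bool(FILE_MISSING_RE.search(body))
        body = FILE_MISSING_RE.sub("", body)
        verdict = _classify(section, body)
        if verdict:
            findings.append(Finding(line, verdict[0], verdict[1], missing))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per family, e.g. {'SurfSideKick': 6, 'Look2Me (suspected)': 1}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.family] = counts.get(f.family, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        flag = " [file missing]" if f.file_missing else ""
        print(f"{f.family:20} {f.action}\n    {f.line}{flag}")
    print(summarize(results))
```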
Thanks heaps - that worked great!!
I didn't have to remove any 'repairs.dll' as there were none, and a search, including hidden files, failed to find any, and none of the programs used found any either.
Below is the HijackThis log as requested.
Shaz :-)
Logfile of HijackThis v1.99.1
Scan saved at 8:48:35 PM, on 8/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE
C:\Program Files\BIPAC-7000 ADSL USB Modem\CnxDslTb.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HijackThis.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\wuauclt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R3 - URLSearchHook: (no name) - <default> - (no file)
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R210 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P30 "EPSON Stylus Photo R210 Series" /O6 "USB001" /M "Stylus Photo R210"
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\BIPAC-7000 ADSL USB Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [StartFoxie] C:\Program Files\Foxie Suite\StartFoxie.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Frag Five Camp Each] C:\Documents and Settings\All Users\Application Data\AcidPhoneFragFive\Real That.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [] p2pnetworking.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\RunServices: [] p2pnetworking.exe
O4 - HKCU\..\Run: [CashIso] C:\DOCUME~1\Shaz\APPLIC~1\STOPPI~1\MoreBeepOption.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Winter Fun Wallpaper Changer.lnk = ?
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\i4060edseh060.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
Wonwon Rules!
Alright great!
One more scan that should also eliminate the Look2Me infection you have, along with others.
Spysweeper
http://www.ianag.com/files/14/SpySwe...MajorGeeks.exe
-Update it to the latest definitions and run it
-Remove everything it finds
-Save the log and attach it for me
Also attach one more HijackThis log for cleanup.
After running the above steps, let's do this for the P2P Networking problem..
Download and unzip BFUzip
http://computercops.biz/zx/Merijn/bfu.zip
-Run the program and click the Web button
-Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/p2pnetwork.bfu
-Execute the script by clicking the Execute button.
If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html
Hey,
Okay, next 2 parts done.
Logs from spysweeper and hijack this after first stage are:
********
7:19 PM: | Start of Session, Thursday, 9 March 2006 |
7:19 PM: Spy Sweeper started
7:19 PM: Sweep initiated using definitions version 629
7:19 PM: Starting Memory Sweep
7:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:19 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:19 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:20 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:20 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:21 PM: Found Adware: icannnews
7:21 PM: Detected running threat: C:\WINDOWS\system32\n0r2la9o1d.dll (ID = 83)
7:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:22 PM: Found Adware: lopdotcom
7:22 PM: Detected running threat: C:\Program Files\Internet Explorer\iexplore.exe (ID = 299)
7:22 PM: Detected running threat: C:\WINDOWS\system32\qdgrprxy.dll (ID = 83)
7:23 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:23 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:23 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:23 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:24 PM: Memory Sweep Complete, Elapsed Time: 00:04:17
7:24 PM: Starting Registry Sweep
7:24 PM: Found Adware: whenu save
7:24 PM: HKCR\acm.acmfactory\ (5 subtraces) (ID = 773927)
7:24 PM: HKCR\acm.acmfactory.1\ (3 subtraces) (ID = 773933)
7:24 PM: HKCR\clsid\{a9aae1ab-9688-42c5-86f5-c12f6b9015ad}\ (12 subtraces) (ID = 773937)
7:24 PM: HKCR\typelib\{df901432-1b9f-4f5b-9e56-301c553f9095}\ (9 subtraces) (ID = 773950)
7:24 PM: HKCR\appid\acm.dll\ (1 subtraces) (ID = 773960)
7:24 PM: HKCR\appid\{127df9b4-d75d-44a6-af78-8c3a8ceb03db}\ (1 subtraces) (ID = 773962)
7:24 PM: HKLM\software\classes\acm.acmfactory\ (5 subtraces) (ID = 773964)
7:24 PM: HKLM\software\classes\acm.acmfactory.1\ (3 subtraces) (ID = 773970)
7:24 PM: HKLM\software\classes\appid\acm.dll\ (1 subtraces) (ID = 773974)
7:24 PM: HKLM\software\classes\appid\{127df9b4-d75d-44a6-af78-8c3a8ceb03db}\ (1 subtraces) (ID = 773976)
7:24 PM: HKLM\software\classes\clsid\{a9aae1ab-9688-42c5-86f5-c12f6b9015ad}\ (12 subtraces) (ID = 773979)
7:24 PM: HKLM\software\classes\typelib\{df901432-1b9f-4f5b-9e56-301c553f9095}\ (9 subtraces) (ID = 773992)
7:24 PM: Found Adware: accoona toolbar
7:24 PM: HKCR\clsid\{f80c1d93-0d22-436e-963e-9d3156997a4e}\ (4 subtraces) (ID = 954998)
7:24 PM: HKLM\software\classes\clsid\{f80c1d93-0d22-436e-963e-9d3156997a4e}\ (4 subtraces) (ID = 955055)
7:24 PM: Found Adware: command
7:24 PM: HKLM\system\currentcontrolset\services\cmdservice\ (5 subtraces) (ID = 958670)
7:24 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
7:24 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
7:24 PM: Found Adware: dollarrevenue
7:24 PM: HKLM\software\microsoft\drsmartload2\ (1 subtraces) (ID = 1134137)
7:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:24 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:24 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:24 PM: Found Adware: webrebates
7:24 PM: HKU\S-1-5-21-343818398-1202660629-839522115-1003\software\microsoft\internet explorer\menuext\web rebates.\ (2 subtraces) (ID = 866137)
7:24 PM: HKU\S-1-5-21-343818398-1202660629-839522115-1003\software\microsoft\internet explorer\urlsearchhooks\{944864a5-3916-46e2-96a9-a2e84f3f1208}\ (ID = 955003)
7:24 PM: Registry Sweep Complete, Elapsed Time:00:00:35
7:24 PM: Starting Cookie Sweep
7:24 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
7:24 PM: Starting File Sweep
7:25 PM: c:\program files\webrebates4 (53 subtraces) (ID = -2147470148)
7:25 PM: c:\program files\network monitor (ID = -2147459771)
7:25 PM: readme.txt (ID = 119871)
7:38 PM: uninstall_nmon.vbs (ID = 231442)
7:38 PM: Found Adware: look2me
7:38 PM: n0r2la9o1d.dll (ID = 159)
7:46 PM: jiiuckxz.exe (ID = 308)
7:47 PM: en08l1du1.dll (ID = 159)
7:47 PM: opjsel.dll (ID = 159)
7:47 PM: qdgrprxy.dll (ID = 159)
7:47 PM: Found Adware: targetsaver
7:47 PM: class-barrel (ID = 78229)
7:47 PM: lvlq0935e.dll (ID = 159)
7:48 PM: vocabulary (ID = 78283)
7:49 PM: real that.exe (ID = 308)
7:49 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || Frag Five Camp Each (ID = 0)
7:50 PM: enp8l17u1.dll (ID = 159)
7:50 PM: webrebates.dll (ID = 207054)
7:50 PM: atomdefydeaf.exe (ID = 90)
7:50 PM: enc bend.exe (ID = 91)
7:50 PM: Found Adware: zquest
7:50 PM: dr21206.exe (ID = 251354)
7:51 PM: oye.vbs (ID = 185675)
7:51 PM: Warning: Failed to access drive D:
7:51 PM: File Sweep Complete, Elapsed Time: 00:26:40
7:51 PM: Full Sweep has completed. Elapsed time 00:31:40
7:51 PM: Traces Found: 188
8:02 PM: Removal process initiated
8:02 PM: Quarantining All Traces: icannnews
8:02 PM: icannnews is in use. It will be removed on reboot.
8:02 PM: C:\WINDOWS\system32\n0r2la9o1d.dll is in use. It will be removed on reboot.
8:02 PM: C:\WINDOWS\system32\qdgrprxy.dll is in use. It will be removed on reboot.
8:02 PM: Quarantining All Traces: look2me
8:02 PM: look2me is in use. It will be removed on reboot.
8:02 PM: n0r2la9o1d.dll is in use. It will be removed on reboot.
8:02 PM: qdgrprxy.dll is in use. It will be removed on reboot.
8:02 PM: lvlq0935e.dll is in use. It will be removed on reboot.
8:02 PM: Quarantining All Traces: lopdotcom
8:02 PM: lopdotcom is in use. It will be removed on reboot.
8:02 PM: real that.exe is in use. It will be removed on reboot.
8:02 PM: C:\Program Files\Internet Explorer\iexplore.exe is in use. It will be removed on reboot.
8:02 PM: Quarantining All Traces: dollarrevenue
8:02 PM: Quarantining All Traces: zquest
8:02 PM: Quarantining All Traces: accoona toolbar
8:02 PM: Quarantining All Traces: command
8:02 PM: Quarantining All Traces: targetsaver
8:03 PM: Quarantining All Traces: webrebates
8:03 PM: Quarantining All Traces: whenu save
8:03 PM: Preparing to restart your computer. Please wait...
8:03 PM: Removal process completed. Elapsed time 00:01:25
********
7:18 PM: | Start of Session, Thursday, 9 March 2006 |
7:18 PM: Spy Sweeper started
7:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:19 PM: Your spyware definitions have been updated.
7:19 PM: | End of Session, Thursday, 9 March 2006 |
Logfile of HijackThis v1.99.1
Scan saved at 8:10:00 PM, on 9/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\soundman.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\DOCUME~1\Shaz\APPLIC~1\STOPPI~1\MoreBeepOption.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R3 - URLSearchHook: (no name) - <default> - (no file)
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R210 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P30 "EPSON Stylus Photo R210 Series" /O6 "USB001" /M "Stylus Photo R210"
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\BIPAC-7000 ADSL USB Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [StartFoxie] C:\Program Files\Foxie Suite\StartFoxie.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [] p2pnetworking.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [] p2pnetworking.exe
O4 - HKCU\..\Run: [CashIso] C:\DOCUME~1\Shaz\APPLIC~1\STOPPI~1\MoreBeepOption.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Winter Fun Wallpaper Changer.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
after running BFU:
BFU v1.00.9
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 8:15:05 PM, on 9/03/2006
Warning: unknown command '
</html>' on line #1
Script completed.
and completed HijackThis again (in case you wanted it):
Logfile of HijackThis v1.99.1
Scan saved at 8:19:57 PM, on 9/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\soundman.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\DOCUME~1\Shaz\APPLIC~1\STOPPI~1\MoreBeepOption.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\ServicePackFiles\i386\iexplore.exe
C:\Program Files\PC Probs\bfu\BFU.exe
C:\Program Files\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R3 - URLSearchHook: (no name) - <default> - (no file)
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R210 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P30 "EPSON Stylus Photo R210 Series" /O6 "USB001" /M "Stylus Photo R210"
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\BIPAC-7000 ADSL USB Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [StartFoxie] C:\Program Files\Foxie Suite\StartFoxie.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [] p2pnetworking.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [] p2pnetworking.exe
O4 - HKCU\..\Run: [CashIso] C:\DOCUME~1\Shaz\APPLIC~1\STOPPI~1\MoreBeepOption.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Winter Fun Wallpaper Changer.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A38DDD8E-E970-4208-9FFE-DDC07371E65E}: NameServer = 203.193.200.2 203.193.193.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Wow, not sure how you know all this - but greatly appreciate your time.
Shaz :-)
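A triage pass over HijackThis log entries, added here as an example and not a tool used in this thread: it parses the R3/O4/O16/O17 line formats seen in the logs above and flags the items a log reader checks first (autorun entries with an empty name, RunServices entries, executables launched from a user's Application Data folder, orphaned URLSearchHooks, ActiveX downloads from unexpected hosts, per-interface DNS servers). The sample lines are constructed, modelled on the posted log; the `EXPECTED_DPF_HOSTS` allow-list is an assumption for the example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Entry:
    """One HijackThis log entry plus the review flags raised on it."""
    code: str                      # section code, e.g. "O4", "R3", "O16"
    raw: str                       # the original (stripped) log line
    flags: list = field(default_factory=list)


# Entry formats as they appear in a HijackThis v1.99 log.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - ")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HOOK_RE = re.compile(r"^R3 - URLSearchHook: \((?P<name>[^)]*)\) - (?P<clsid>\S+) - (?P<file>.*)$")
DPF_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\} \((?P<cls>[^)]*)\) - (?P<url>\S+)$")
DNS_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")

# Hosts from which an ActiveX (DPF) download is expected on this machine.
# Assumption made for this example; a real allow-list is per environment.
EXPECTED_DPF_HOSTS = {"messenger.msn.com"}


def _is_user_appdata(path: str) -> bool:
    """True when a command runs out of a user's Application Data folder (8.3 or long form)."""
    p = path.lower()
    in_profile = "\\docume~1\\" in p or "\\documents and settings\\" in p
    in_appdata = "\\applic~1\\" in p or "\\application data\\" in p
    return in_profile and in_appdata


def triage_line(line: str):
    """Parse one log line; return an Entry (flags may be empty) or None for non-entry lines."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    e = Entry(m.group("code"), line)
    if e.code == "O4" and (r := RUN_RE.match(line)):
        if not r.group("name").strip():
            e.flags.append("autorun entry with empty name")
        if r.group("key") == "RunServices":
            e.flags.append("RunServices key (Win9x-era key, unusual on XP)")
        if _is_user_appdata(r.group("cmd")):
            e.flags.append("runs from user Application Data")
    elif e.code == "R3" and (r := HOOK_RE.match(line)):
        if r.group("file").strip() == "(no file)":
            e.flags.append("URLSearchHook points to no file")
    elif e.code == "O16" and (r := DPF_RE.match(line)):
        host = urlparse(r.group("url")).hostname or ""
        if host not in EXPECTED_DPF_HOSTS:
            e.flags.append(f"ActiveX download from unexpected host {host}")
    elif e.code == "O17" and (r := DNS_RE.match(line)):
        e.flags.append(f"per-interface DNS servers set: {r.group('servers')} (confirm they are the ISP's)")
    return e


def triage_text(text: str) -> dict:
    """Run triage over a whole log; return {raw line: [flags]} for flagged entries only."""
    out = {}
    for line in text.splitlines():
        e = triage_line(line.strip())
        if e and e.flags:
            out[e.raw] = e.flags
    return out


# Constructed sample, modelled on the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R3 - URLSearchHook: (no name) - <default> - (no file)
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [] p2pnetworking.exe
O4 - HKLM\..\RunServices: [] p2pnetworking.exe
O4 - HKCU\..\Run: [CashIso] C:\DOCUME~1\Shaz\APPLIC~1\STOPPI~1\MoreBeepOption.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A38DDD8E-E970-4208-9FFE-DDC07371E65E}: NameServer = 203.193.200.2 203.193.193.1
"""

if __name__ == "__main__":
    for raw, flags in triage_text(SAMPLE_LOG).items():
        print(raw)
        for f in flags:
            print("    ->", f)
```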
to browse our <b><a href="http://www.geekstogo.com/forum/index.php">free
computer help forum</a></b>. Also, you may find what you're looking for on our
site if you try searching below.</font></p>
</center>
<!--IBF.NEWPMBOX-->
<script type="text/javascript">
<!--
function go_gadget_simple(){
window.location = "http://www.geekstogo.com/forum/index.php?s=&act=Search&mode=simple&f=";
}
function win_pop(){
window.open("http://www.geekstogo.com/forum/index.php?s=&act=Search&CODE=explain","WIN","width=400,height=300,resizable=yes,scrollbars=yes");
}
-->
</script>
<form action="http://www.geekstogo.com/forum/index.php?act=Search&CODE=simpleresults&mode=simple" method="post" name="sForm">
<div class="borderwrap">
<div class="formsubtitle" align="center"><hr>
<p style="margin-top: 0; margin-bottom: 0"><b>Search by Keywords</b></div>
<div class="tablepad" align="center">
<input type="text" maxlength="100" size="40" id="keywords" name="keywords" /><br />
<label for="keywords">Enter a keyword or phrase to search by.</label> [ <a href="#" title="Find out how to improve your search with boolean operators" onclick="win_pop()">Advanced Usage Help</a> ]
</div>
<div class="formsubtitle" align="center">
<p style="margin-top: 0; margin-bottom: 0"> </p>
<p style="margin-top: 0; margin-bottom: 0"><b>Search Where</b></div>
<div class="tablepad" align="center">
<select name='forums[]' class='forminput' size='10' multiple='multiple'>
<option value='all' selected="selected">» All Forums</option><option value="41">Operating Systems</option>
<option value="5"> |-- Windows NT/2000/2003/XP</option>
<option value="3"> |-- Windows 95/98/ME</option>
<option value="7"> |-- All Other Operating Systems</option>
<option value="40">Hardware</option>
<option value="9"> |-- Hardware/Components/Peripherals</option>
<option value="27"> |-- System Building/Overclocking</option>
<option value="11"> |-- Networking</option>
<option value="44">Internet</option>
<option value="28"> |-- Web Design & Web Hosting</option>
<option value="13"> |-- Spyware/Adware/Viruses</option>
<option value="37"> |---- HiJackThis Logs</option>
<option value="26"> |-- Internet/Browsers</option>
<option value="42">Software</option>
<option value="12"> |-- Applications</option>
<option value="19"> |-- Games</option>
<option value="25"> |-- Microsoft Office</option>
<option value="43">Community</option>
<option value="29"> |-- Live Chat</option>
<option value="45"> |-- Arcade</option>
<option value="16"> |-- Off-Topic</option>
<option value="15"> |-- Comments/Suggestions</option>
<option value="23"> |-- News and Updates</option>
<option value="30"> |-- GeekU</option>
<option value="34"> |---- Tutorials</option>
<option value="36"> |---- Tools and Resources</option>
<option value="33"> |---- Spyware Fixes (Special Cases)</option>
<option value="31"> |---- Canned Speeches</option>
<option value="35"> |---- Practice Hijack This logs</option>
<option value="32"> |---- "Check this proposed fix before I reply"</option>
<option value="38"> |---- Tips and Tricks</option>
<option value="39"> |---- Links to Live Logs</option>
<option value="24"> |---- Mods Only</option>
</select><br /><br />
<b>Show me</b>
<input type="radio" name="sortby" value="relevant" id="sortby_one" class="radiobutton" />
<label for="sortby_one">most relevant</label>
<input type="radio" name="sortby" value="date" id="sortby_two" checked="checked" class="radiobutton" />
<label for="sortby_two">most recent <strong>first</strong></label>
</div>
<div class="formsubtitle" align="center">
<p style="margin-top: 0; margin-bottom: 0">
<input type="submit" value="Perform the search" />
<input type="button" value="More Options" onclick="go_gadget_advanced()" />
</p>
<hr>
</div>
</div>
</form>
<p style="margin-top: 0; margin-bottom: 0"><font size="1" face="Arial">(c)2004
Geeks to Go</font></p>
</body>
</html>' on line #1
Script completed.
and completed Hijack This again (in case you wanted it)
Logfile of HijackThis v1.99.1
Scan saved at 8:19:57 PM, on 9/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\soundman.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\DOCUME~1\Shaz\APPLIC~1\STOPPI~1\MoreBeepOption.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\ServicePackFiles\i386\iexplore.exe
C:\Program Files\PC Probs\bfu\BFU.exe
C:\Program Files\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R3 - URLSearchHook: (no name) - <default> - (no file)
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R210 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P30 "EPSON Stylus Photo R210 Series" /O6 "USB001" /M "Stylus Photo R210"
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\BIPAC-7000 ADSL USB Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [StartFoxie] C:\Program Files\Foxie Suite\StartFoxie.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [] p2pnetworking.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [] p2pnetworking.exe
O4 - HKCU\..\Run: [CashIso] C:\DOCUME~1\Shaz\APPLIC~1\STOPPI~1\MoreBeepOption.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Winter Fun Wallpaper Changer.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A38DDD8E-E970-4208-9FFE-DDC07371E65E}: NameServer = 203.193.200.2 203.193.193.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Wow, not sure how you know all this - but greatly appreciate your time.
Shaz :-)
Wonwon Rules!
Alright - doesn't look like BFU worked correctly.
Let's do this
Run thru the BFU procedure once again
When it completes, scan with HijackThis and check the following
• R3 - URLSearchHook: (no name) - <default> - (no file)
• O4 - HKLM\..\Run: [] p2pnetworking.exe
• O4 - HKLM\..\RunServices: [] p2pnetworking.exe
• O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
• O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
Now with ALL Browsers closed, click FIX CHECKED
Now download PocketKillbox
http://files3.majorgeeks.com/files/8...in/killbox.exe
Open Killbox
-Copy and Paste C:\WINDOWS\System32\p2pnetworking.exe into the box
-It will appear in blue if it exists
-Choose the Delete on Reboot option
-Click the red X to confirm and allow it to reboot
-If you get a Pending error, or if it doesn't reboot on its own - reboot manually
Now attach one more HijackThis log - also when we are done with this we will need to update your Java
Proud Member of ASAP (Alliance of Security Analysis Professionals)
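The checklist in the post above (an orphaned URLSearchHook, unnamed Run/RunServices values, O9 entries whose file is missing) can be expressed as a few mechanical rules. The following Python script is an added example, not code from the thread, from HijackThis, BFU or Killbox: it reads lines in the format HijackThis v1.99 prints and reports the entry types the helper singled out. The sample log lines are constructed in that format, and the set of trusted ActiveX download hosts (TRUSTED_DPF_HOSTS) is an assumption made for the example.

```python
"""Triage rules for HijackThis-style log lines.

Added example for this thread: not code from HijackThis, BFU, Killbox or the
helper's post.  It encodes the kinds of entries the helper asked to have
fixed so a log can be screened mechanically before anyone clicks
"Fix checked".  Sample lines are constructed in the format HijackThis
v1.99 prints; the trusted-host set for ActiveX downloads is an assumption.
"""
import re
from urllib.parse import urlparse

# Hosts from which an O16 (Downloaded Program Files / ActiveX) entry is
# considered expected.  Constructed allowlist for the example only.
TRUSTED_DPF_HOSTS = {"messenger.msn.com", "download.microsoft.com"}

# O4 - HKLM\..\Run: [ValueName] command
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# O16 - DPF: {CLSID} (description) - url
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<desc>[^)]*)\) - (?P<url>\S+)$"
)


def triage_line(line):
    """Return a short reason if the entry should be reviewed/fixed, else None."""
    line = line.strip()

    # R3: a URLSearchHook whose DLL is gone is a leftover from removed
    # software (here: SurfSideKick); the hook itself can be dropped.
    if line.startswith("R3 - URLSearchHook:") and line.endswith("(no file)"):
        return "URLSearchHook refers to a file that no longer exists"

    m = O4_RE.match(line)
    if m:
        if m.group("name") == "":
            # Installers name their Run values; a blank name is a common
            # sign of something dropped in by hand or by malware.
            return "autostart value with an empty name"
        if m.group("key") == "RunServices":
            # RunServices is a Windows 9x/Me key that NT-based Windows does
            # not process, so on XP only legacy or unwanted software writes here.
            return "entry in the legacy RunServices key"
        return None

    # O9 / O18: the referenced file is missing, so the entry does nothing;
    # removing it just clears a dead reference.
    if line.startswith(("O9 - ", "O18 - ")) and line.endswith("(file missing)"):
        return "entry references a missing file"

    m = O16_RE.match(line)
    if m:
        host = urlparse(m.group("url")).hostname or ""
        if host not in TRUSTED_DPF_HOSTS:
            return f"ActiveX control downloaded from unexpected host {host}"
        return None

    return None


def triage_log(text):
    """Run triage_line over every line; return [(line, reason), ...] for hits."""
    findings = []
    for raw in text.splitlines():
        reason = triage_line(raw)
        if reason:
            findings.append((raw.strip(), reason))
    return findings


# Constructed sample in HijackThis format (same entry types as the logs in
# this thread; not a copy of any particular machine's log).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - <default> - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [] p2pnetworking.exe
O4 - HKLM\..\RunServices: [] p2pnetworking.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

if __name__ == "__main__":
    for entry, reason in triage_log(SAMPLE_LOG):
        print(f"{reason}: {entry}")
```

Anything the script flags is a candidate for a closer look, not an automatic fix: the rules only mirror the reasoning behind the helper's list (dead references, unnamed autostart values, a legacy key, an ActiveX control fetched from a host nobody chose), and a blank value name or a missing file is grounds to investigate, not proof of infection on its own.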
Hi,
Did the above - killbox didn't find the file.
New log:
Logfile of HijackThis v1.99.1
Scan saved at 9:26:50 PM, on 10/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\soundman.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE
C:\Program Files\BIPAC-7000 ADSL USB Modem\CnxDslTb.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\DOCUME~1\Shaz\APPLIC~1\STOPPI~1\MoreBeepOption.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\ServicePackFiles\i386\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R210 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P30 "EPSON Stylus Photo R210 Series" /O6 "USB001" /M "Stylus Photo R210"
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\BIPAC-7000 ADSL USB Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [StartFoxie] C:\Program Files\Foxie Suite\StartFoxie.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CashIso] C:\DOCUME~1\Shaz\APPLIC~1\STOPPI~1\MoreBeepOption.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A38DDD8E-E970-4208-9FFE-DDC07371E65E}: NameServer = 203.193.200.2 203.193.193.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Shaz :-)
Wonwon Rules!
That log looks fine - just to make sure, please use Killbox and try the following two paths:
• C:\WINDOWS\p2pnetworking.exe
• C:\p2pnetworking.exe
The BFU script was supposed to eliminate it, and perhaps it did, but it was still in the log so I want to verify.
After that download the newest Java here
http://www.java.com/en/download/manual.jsp
Afterwards uninstall the older version thru Add/Remove Programs and you should be fine if you are not having any more problems.
Proud Member of ASAP (Alliance of Security Analysis Professionals)
Thanks heaps - have really appreciated your time.
All seems to be fine - except my add/remove programs opens but won't show any files, it just sits and says "please wait while the list is being populated..." - I think this is a separate issue????
I can repost this for someone else to help me with if it's another time consuming issue.
Shaz :-)
Wonwon Rules!